Re: Select Any Table : Pros and Cons.

  • From: Pete Finnigan <oracle_list@xxxxxxxxxxxxxxxxxxxxxxxxx>
  • To: oracle-l@xxxxxxxxxxxxx
  • Date: Mon, 17 May 2004 10:16:34 +0100

Hi Nik

It depends on the version of course but if you grant select any table to
developers on an 8.1.7 database the default setting of
o7_dictionary_accessibility will be true and granting this privilege
will allow them to see sys.user$ which holds password hashes that could
then be cracked offline, also the same with sys.user_history$,
dba_users (although other roles grant select on this), sys.link$ can
have clear text passwords for other databases. From 9i
o7_dictionary_accessibility is false so dictionary access is not
possible unless select any dictionary is granted or direct grants are
given or connect "as sysdba". From the perspective of non dictionary
access it depends on how sensitive your data is as to whether your
developers should be able to read it all. In general no privileges with
the word "ANY" in them should be granted. See a couple of good security
checklists on my site at http://www.petefinnigan.com/orasec.htm for some
guidelines on securing Oracle.

kind regards

Pete
-- 
Pete Finnigan
email:pete@xxxxxxxxxxxxxxxx
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book:Oracle security step-by-step Guide - see http://store.sans.org for details.
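
An audit sketch for the points raised in the message above, added here as an example and not part of the original post: it reports the O7_DICTIONARY_ACCESSIBILITY setting, who holds "ANY" privileges, and who has direct grants on the dictionary objects named. It assumes Oracle 9i or later and an account that can read V$PARAMETER and the DBA_ views.

```sql
-- Added audit example (not from the original post).

-- 1. Dictionary protection: TRUE means SELECT ANY TABLE also
--    reaches SYS-owned tables such as SYS.USER$.
SELECT name, value
FROM   v$parameter
WHERE  UPPER(name) = 'O7_DICTIONARY_ACCESSIBILITY';

-- 2. Every system privilege containing the word ANY, by grantee
--    (grantees may be users or roles).
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege LIKE '% ANY %'
ORDER  BY grantee, privilege;

-- 3. Users holding SELECT ANY TABLE or SELECT ANY DICTIONARY,
--    either directly or through any chain of nested roles.
SELECT username, 'DIRECT' AS how
FROM   dba_users
WHERE  username IN (SELECT grantee
                    FROM   dba_sys_privs
                    WHERE  privilege IN ('SELECT ANY TABLE',
                                         'SELECT ANY DICTIONARY'))
UNION
SELECT grantee, 'VIA ROLE'
FROM   dba_role_privs
WHERE  grantee IN (SELECT username FROM dba_users)
START  WITH granted_role IN (SELECT grantee
                             FROM   dba_sys_privs
                             WHERE  privilege IN ('SELECT ANY TABLE',
                                                  'SELECT ANY DICTIONARY'))
-- Walk upward: from a role that holds the privilege to whoever was granted it.
CONNECT BY PRIOR grantee = granted_role;

-- 4. Direct object grants on the dictionary objects named in the post.
SELECT grantee, owner, table_name, privilege
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    table_name IN ('USER$', 'USER_HISTORY$', 'LINK$', 'DBA_USERS')
ORDER  BY table_name, grantee;
```

Rows from queries 2 to 4 whose grantee is a developer account or a role granted to developers are the ones to review against the guidance above.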
